Google Removes Chrome Extension Used in Banking Fraud

Google has removed from the Chrome Web Store a malicious browser extension used by criminals in Brazil to target corporate users with the aim of stealing banking credentials.

The twist is that the attackers did their homework on their targets, learning via social networks who inside an organization was closely involved in making financial transactions. Those victims were then contacted over the phone by the criminals posing as bank employees, who urged the victims to install an update to the bank’s security module and threatened that they would otherwise lose access to their account.

The victims who complied were instead installing a Chrome extension called Interface Online, offered by Internet Security Online. The extension was available on Tuesday in the store and there were at least 30 downloads. As of this morning, it was no longer available.

Renato Marinho, chief research officer of Morphus Labs and a SANS Internet Storm Center handler, disclosed the scam Tuesday on the ISC site. Marinho said the scammers are focused on only a few corporate targets and the malware has relatively few detections on VirusTotal.

Kaspersky Lab researcher Fabio Assolini said the attack was found on Aug. 8 and command and control servers were identified and blocked by the company’s products. The C2 server, however, is still up and running, Marinho said. He confirmed that this was not a widespread attack and that other attackers had used malicious extensions in other attacks in Brazil, including some targeting Boletos, a popular payment system in the country.

The pressure-filled phone call includes instructions on how to update the supposed security module. The victim is provided with a web address over the phone and when they click “Install,” they are redirected to the extension’s installation page, hosted in the Chrome Web Store.

The fraudster keeps the victim on the line throughout the installation process and once it’s complete, has them test their access to the corporate bank account. As they enter their credentials, the data is sent to the attackers in the background. Ironically, a description of the extension explains that it can read and change data on websites the victim visits, and continue to monitor browsing activity on the victim’s version of Chrome.

“I’ve had the opportunity to listen to one of those calls and I must admit that they make it in a professional way,” Marinho told Threatpost. “They previously collect public information (Google and social networks) about the target to use during the call if necessary. Their speech follows the default call center style and it seems that they are talking from a real call center due to the background noise. I believe that this mix maximizes their success rates.”

Marinho explained that there is a trigger that activates the malware; static analysis of the source code revealed that there is malicious JavaScript that waits until the victim tries to access a corporate banking login page. He also learned that the extension was granted extraordinary permissions in order to connect out to the attacker’s server via an HTTPS connection and transmit the stolen credentials.
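For defenders reviewing extensions installed on corporate machines, the permission pattern described above (access to every site the user visits) can be checked from an extension's manifest.json. The following is an added example, not code from the article or from Marinho's analysis; the function name, rule names and both sample manifests are constructed for illustration.

```javascript
// Added example: flag manifest grants that give an extension access to every site.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
  const grants = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const broadHosts = grants.filter((p) => BROAD_PATTERNS.has(p));
  if (broadHosts.length > 0) {
    findings.push({ rule: "broad-host-access", detail: broadHosts });
  }
  // A content script matched to every page runs inside login pages too.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD_PATTERNS.has(m))) {
      findings.push({ rule: "content-script-on-all-sites", detail: cs.js || [] });
    }
  }
  return findings;
}

// Constructed sample manifests; neither is taken from the extension in the article.
const sampleBroad = {
  manifest_version: 2,
  name: "Sample security module",
  permissions: ["tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
const sampleScoped = {
  manifest_version: 3,
  name: "Sample scoped helper",
  permissions: ["storage"],
  host_permissions: ["https://intranet.example.com/*"],
  content_scripts: [{ matches: ["https://intranet.example.com/*"], js: ["helper.js"] }],
};

for (const m of [sampleBroad, sampleScoped]) {
  const rules = auditManifest(m).map((f) => f.rule);
  console.log(`${m.name}: ${rules.length ? rules.join(", ") : "no broad grants"}`);
}
```

A finding is a prompt for review, not proof of malice: many legitimate extensions request all-site access, so the result is most useful combined with an allowlist of approved extension IDs.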

“In my opinion, the criminals are shifting from the traditional [malicious spam] to targeted and more creative attack methods here in Brazil,” Marinho said. “It’s getting common to have victims reporting that they are receiving phone calls from someone pretending to be from a bank and urging the victim to do something, like installing a fake security module, in this case, or asking them to type the token combination on a fake website.”

These attacks are just the latest in a growing trend of fraud exploiting Chrome extensions. In the last two weeks, researchers have reported at least eight popular Chrome plugins had been hijacked and were being abused to manipulate internet traffic and serve ads in the browser.

Proofpoint said yesterday that the Web Developer (0.4.9), Chrometana (1.1.3), Infinity New Tab (3.12.3), Web Paint (1.2.1), and Social Fixer (20.1.1) plugins were hijacked; it also believes TouchVPN and Betternet VPN were compromised in the same way at the end of June. On Aug. 1, A9t9 reported that the optical character recognition extension called Copyfish was hijacked and used to insert ads into the browser.